SonicSpy Android Malware Records Audio And Takes Pictures

More than 4,000 samples of SonicSpy have been distributed since February, hidden in apps on Google Play and elsewhere

Researchers have uncovered thousands of Android applications infected with malware that can record audio from a device’s surroundings and take pictures, amongst other spying tactics.

The SonicSpy malware has been “aggressively” deployed since February, with several infected samples appearing on Google Play, according to computer security firm Lookout.

Google Play infiltrated

The firm said at least three infected applications, called Soniac, Hulk Messenger and Troy Chat, were found on Google Play. Soniac was downloaded between 1,000 and 5,000 times before it was removed by Google at Lookout’s request.

It isn’t clear how the other samples, which number more than 4,000, are being distributed, with possible channels including third-party app stores and targeted text messages that include a download link, Lookout said.

Soniac was marketed as a messaging application, and provided that service via a customised version of Telegram, which ironically was designed for ultra-secure communications.

But it also contains malicious features including the ability to record audio, take photos with the camera, make outbound calls, send text messages to numbers specified by the attacker and retrieve information including call logs, contacts and information about Wi-Fi access points.

Spying on users

“The overall SonicSpy family supports 73 different remote instructions, including those seen in the Soniac instance,” Lookout said in an advisory.

When installed SonicSpy removes the launcher icon, then establishes a connection to a command server and then tries to install its custom version of Telegram.

Lookout said it believes SonicSpy was created by the developer of a piece of malware called SonicNote reported by Palo Alto Networks last year. That developer, who is thought to be based in Iraq, used an automated desktop tool to mass-produce infected applications, meaning a similar technique could be in use with SonicSpy, Lookout said.

“Anyone accessing sensitive information on their mobile device should be concerned about SonicSpy,” Lookout wrote. “The actors behind this family have shown that they’re capable of getting their spyware into the official app store and as it’s actively being developed, and its build process is automated, it’s likely that SonicSpy will surface again in the future.”